The Network and Information Security Directive 2 (NIS 2) (Full name: "Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high general level of cyber security in the Union, for amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972 and repealing Directive (EU) 2016/1148 (NIS 2 Directive)'' is the first part of pan-European cybersecurity legislation. Its specific goal is to achieve a high general level of cyber security in the member states of the European Community.
NIS 2 will set the baseline for cybersecurity risk management measures and reporting obligations in all sectors covered by the directive, such as energy, transport, healthcare and digital infrastructure.
The revised directive aims to remove differences in cybersecurity requirements and the implementation of cybersecurity measures across Member States. To achieve this, it lays down minimum rules for a regulatory framework and sets out mechanisms for effective cooperation between the relevant authorities in each Member State. It updates the list of sectors and activities subject to cybersecurity obligations and provides remedies and sanctions to ensure compliance.
The directive will formally establish the European Cyber Crisis Liaison Network, EU-CyCLONE, which will support the coordinated management of large-scale cyber security incidents.
The measures are based on an "all-hazards approach" that aims to protect network and information systems and the physical environment of those systems from incidents and include "at least" the following:
- a) policies for risk analysis and information system security;
- b) incident handling;
- c) business continuity, such as backup and disaster recovery management and crisis management;
- d) supply chain security, including security-related aspects relating to the relationship between each entity and its direct suppliers or service providers;
- e) security in the acquisition, development and maintenance of network and information systems, including processing and disclosure of vulnerabilities;
- f) policies and procedures for assessing the effectiveness of cybersecurity risk management measures;
- g) basic cyber hygiene practices and cyber security training;
- h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
- i) human resources security, access control and asset management policies;
- j) the use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communications and secure emergency communication systems in the entity, where appropriate.
Deadlines: By 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive. They shall apply these measures from 18 October 2024. Directive (EU) 2016/1148 (the NIS Directive) is repealed with effect from 18 October 2024.
Important information: According to Article 20 (Governance), the governing bodies of major and important entities must approve the cybersecurity risk management measures taken by those entities, monitor their implementation, and "may be held liable for violations." NISv2 in Article 34(4) provides for the following fines: Member States shall ensure that, where they breach Article 21 or 23, the main entities are subject, in accordance with paragraphs 2 and 3 of this Article, to administrative fines of at least 10,000 000 EUR or to a maximum of at least 2 % of the total worldwide annual turnover in the previous financial year of the enterprise to which the main entity belongs, whichever is higher.
According to Article 20, Member States shall ensure that "members of the management bodies of essential and important entities are obliged to undergo training" and shall encourage essential and important entities to offer such training to their employees on a regular basis so that they acquire sufficient knowledge and skills which to enable them to identify risks and assess cybersecurity risk management practices and their impact on the services provided by the entity.
Important note for non-EU entities: According to Article 26 (Jurisdiction and Territoriality), if an entity is not established in the EU but offers services within the EU, it appoints a representative in the EU. The representative is established in one of the Member States where the services are offered. Such an entity is deemed to fall under the jurisdiction of the Member State in which the representative is established. In the absence of a representative, any Member State in which the entity provides services may take legal action against the entity for breach of this Directive.
What can we do for you and what services do we offer regarding the Network and Information Security 2 (NIS 2) Directive 2020/0359 COM(2020) 823 Directive (EU) 2022/2555 (NIS 2)?
- a. Comprehensive verification and diagnosis of your compliance with the Network and Information Security 2 (NIS 2) Directive 2020/0359 COM(2020) 823 Directive (EU) 2022/2555 (NIS 2). (NIS 2 gap analysis)
- b. Security consulting on already discovered inconsistencies and findings how best to tackle these deficiencies.
- c. Trainings and seminars aimed at familiarizing staff with the Network and Information Security 2 (NIS 2) Directive 2020/0359 COM(2020) 823 Directive (EU) 2022/2555 (NIS 2).
- d. Possibility to purchase a ready-made questionnaire prepared by us, which questionnaire can serve you to identify and analyze your own environment and arrive at the differences between your organization and the standard yourself. The questionnaire is easy and convenient to use and can be conducted as an internal audit by your organization. If necessary, you can combine this service with our consulting service to achieve the best and most effective results.
Compliance with the Network and Information Security 2 (NIS 2) Directive 2020/0359 COM(2020) 823 Directive (EU) 2022/2555 (NIS 2) is a vital step in your development in response to the rising threats associated with the integrity, confidentiality and availability of the information at the right time for you!
Reduce the risk of your information security to the level acceptable to you and trust our many years of experience in providing consulting services on information security. If you have any questions or need advice on NIS 2, please contact us.